Plesk 10 Pci Compliance Guide


  • 8/2/2019 Plesk 10 Pci Compliance Guide

    Parallels Plesk Panel


    Copyright Notice

    Parallels Holdings, Ltd.

    c/o Parallels International GmbH

    Vordergasse 59

    CH-Schaffhausen

    Switzerland

    Phone: +41-526320-411

    Fax: +41-52672-2010

    Copyright 1999-2011 Parallels Holdings, Ltd. and its affiliates. All rights reserved. This product is protected by United States and international copyright laws. The product's underlying technology, patents, and trademarks are listed at http://www.parallels.com/trademarks.

    Microsoft, Windows, Windows Server, Windows NT, Windows Vista, and MS-DOS are registered trademarks of Microsoft Corporation.

    Linux is a registered trademark of Linus Torvalds.

    Mac is a registered trademark of Apple, Inc.

    All other marks and names mentioned herein may be trademarks of their respective owners.

    Contents

    Securing Servers in Compliance with PCI Data Security Standard
        Securing Linux-based Servers
        Securing Microsoft Windows-based Servers


    CHAPTER 1

    Securing Servers in Compliance with PCI Data Security Standard

    To reduce the risk of compromising sensitive data hosted on your server, you might want to implement special security measures that comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is intended to help organizations protect customer account data. For detailed information about the standard, refer to https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

    The following sections describe the steps required to achieve PCI compliance for Linux and Microsoft Windows-based systems.

    In this chapter:

    Securing Linux-based Servers
    Securing Microsoft Windows-based Servers

    Securing Linux-based Servers

    This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Linux server.

    Before you begin, make sure that you have the latest version of OpenSSH and update it if required. This is achieved by completing the following steps:

    1. Install or update the SSH server by running one of the commands:

    On RPM package-based systems,

    yum install openssh-server

    On DEB package-based systems,

    aptitude install openssh-server

    2. Change the default SSH server port by removing the leading # symbol and modifying the port value in /etc/ssh/sshd_config, the line

    #Port 22

    3. Restart the SSH server.

    /etc/init.d/ssh restart

    Then you need to run the PCI Compliance Resolver utility available from the Parallels Plesk Panel installation directory. It will disable weak SSL ciphers and protocols for web and e-mail servers operated by Parallels Plesk Panel.


    To run the utility:

    1. Log in to the server shell.

    2. Issue the following command:

    /usr/local/psa/admin/bin/pci_compliance_resolver --enable all

    The following table describes all options supported by the utility.

    Option: --enable all | --disable all
    Description: The option "--enable all" switches off weak SSL ciphers and protocols for Web and e-mail servers. The option "--disable all" reverts all changes made by the utility and restores original configuration files, thereby allowing weak SSL ciphers and protocols for connections to Web and e-mail servers.

    Option: --enable courier | --disable courier
    Description: Switches off or switches on weak SSL ciphers and protocols for connections to Courier IMAP mail server.

    Option: --enable apache | --disable apache
    Description: Switches off or switches on weak SSL ciphers and protocols for connections to the Apache Web server that serves users' sites.

    Option: --enable panel | --disable panel
    Description: Switches off or switches on weak SSL ciphers and protocols for connections to Parallels Plesk Panel.

    Some PCI compliance scanners may require that the medium strength SSL ciphers for access to the Panel be also switched off. For this reason, after you have run the utility, you need to modify a configuration file that was created by it.

    1. Open for editing the file /usr/local/psa/admin/conf/cipher.lst.

    2. Remove all lines from the file.

    3. Insert the following line:

    ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5

    4. Save the file.

    5. Restart the Web server by running the command /etc/init.d/sw-cp-server restart.

    Now you need to switch off weak SSL ciphers for connections to the Qmail or Postfix e-mail server, if you use either of them.

    If you use Qmail mail server, issue the following commands at the prompt:

    echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsserverciphers

    echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsclientciphers

    If you use Postfix mail server, modify configuration files:

    1. Open for editing the file /etc/postfix/main.cf.

    2. Add the following lines to the file:

    smtpd_tls_protocols = SSLv3, TLSv1
    smtpd_tls_ciphers = medium
    smtpd_tls_exclude_ciphers = aNULL
    smtpd_sasl_security_options = noplaintext

    3. Save the file.

    4. Restart the mail server by running the command /etc/init.d/postfix restart.

    You also need to prohibit access to MySQL database server from external addresses. To do this, in a firewall that protects your Panel-managed server, add or enable a rule that prohibits TCP and UDP connections to the port 3306 from all addresses except 127.0.0.1.

    To use the firewall that comes with your Parallels Plesk Panel for Linux:

    1. Log in to the Panel as administrator.

    2. If you did not install the firewall component, install it:

    a. Go to Home > Updates (in the Help & Support group).

    b. Click the link corresponding to your version of the Panel.

    c. Locate Plesk Firewall module, select the corresponding check box, and click Install.

    3. Configure the firewall rule that blocks external MySQL connections and switch the firewall on:

    a. Click the Settings link in the navigation pane.

    b. Click Manage Firewall Rules, and then Edit Firewall Configuration.

    c. Click the MySQL server link.

    d. Select the Deny option and click OK.

    e. Click Activate to apply the configuration, and then click Activate again to switch on the firewall.

    To alleviate security risks arising from disclosure of information about files and their properties by Apache Web server, configure the FileETag directive in the Web server configuration file.

    To do this:

    1. Open for editing the Web server's configuration file.

    On Debian, Ubuntu, and SuSE Linux, it is located at /etc/apache2/apache2.conf.

    On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf.

    2. Locate the line FileETag INode MTime Size and remove the INode keyword from this line.

    3. Save the file.

    4. Restart the Web server.

    On DEB package-based systems, issue the command /etc/init.d/apache2 restart

    On RPM package-based systems, issue the command /etc/init.d/httpd restart

    If you use Parallels Plesk Panel with Customer and Business Manager, do the following to switch on strong SSL ciphers on the server:

    1. Open for editing the file /etc/sw-cp-server/applications.d/hspc-httpd.conf.

    2. Locate the line ssl.engine = "enable".

    3. Add the following text after this line:

    ssl.cipher-list = "ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:ADH-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:ADH-RC4-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5"

    4. Save the file.

    5. Restart the service by running the command /etc/init.d/sw-cp-server restart.

    To prevent ProFTPd from showing information about its version on FTP connections:

    1. Open for editing the ProFTPd configuration file. It is /etc/proftpd.conf or /usr/local/etc/proftpd.conf, depending on your installation.

    2. Insert the following line into the file: ServerIdent off

    3. Save the file.
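The guide's file edits above (uncommenting and changing "#Port 22" in sshd_config, adding the four Postfix main.cf settings, dropping INode from the Apache FileETag line, and adding ServerIdent off to proftpd.conf) are all the same operation: set a directive to a value exactly once. The following script is an added example, not part of the guide or of Plesk; it applies those edits idempotently with one awk-based helper and reads the results back, working on constructed sample files in a temporary directory rather than the live configuration files (the sample contents and the make_samples/harden_samples names are assumptions).

```shell
#!/bin/sh
# Added example (not from the Plesk guide): the guide's sshd_config "#Port 22",
# Postfix main.cf, Apache FileETag and ProFTPd ServerIdent edits, applied
# idempotently to constructed copies in a temp directory, never the live files.

# set_directive <file> <name> <value> [separator]: replaces the first <name>
# line (a '#' directly before the name counts as a commented-out default, as in
# "#Port 22"), drops later duplicates, and appends the line if none exists.
set_directive() {
    awk -v n="$2" -v out="$2${4:- }$3" '
        { key = $0; sub(/^[[:space:]]*#?/, "", key); sub(/[[:space:]=].*$/, "", key) }
        tolower(key) == tolower(n) { if (!done) { print out; done = 1 }; next }
        { print }
        END { if (!done) print out }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive <file> <name>: value of the first active <name> line, whether
# written as "name value" (sshd, Apache, ProFTPd) or "name = value" (Postfix).
get_directive() {
    awk -v n="$2" '
        { line = $0; sub(/^[[:space:]]+/, "", line) }
        line ~ /^#/ { next }
        { key = line; sub(/[[:space:]=].*$/, "", key) }
        tolower(key) == tolower(n) {
            val = substr(line, length(key) + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", val); print val; exit
        }
    ' "$1"
}

# make_samples <dir>: constructed stock-style config fragments to edit.
make_samples() {
    printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$1/sshd_config"
    printf 'smtpd_tls_ciphers = export\nmyhostname = mail.example.test\n' > "$1/main.cf"
    printf 'ServerTokens Prod\nFileETag INode MTime Size\n' > "$1/apache2.conf"
    printf 'ServerName "ProFTPD"\n' > "$1/proftpd.conf"
}

# harden_samples <dir> <ssh_port>: apply the guide's Linux edits to the copies.
harden_samples() {
    set_directive "$1/sshd_config" Port "$2"                      # was "#Port 22"
    set_directive "$1/main.cf" smtpd_tls_protocols "SSLv3, TLSv1" " = "
    set_directive "$1/main.cf" smtpd_tls_ciphers medium " = "
    set_directive "$1/main.cf" smtpd_tls_exclude_ciphers aNULL " = "
    set_directive "$1/main.cf" smtpd_sasl_security_options noplaintext " = "
    set_directive "$1/apache2.conf" FileETag "MTime Size"         # INode dropped
    set_directive "$1/proftpd.conf" ServerIdent off               # hide version
}
```

On a real host, validate the edited sshd_config with sshd -t before running the restart command from the guide, so a typo cannot lock you out of the shell.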

    Securing Microsoft Windows-based Servers

    This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Microsoft Windows-based server.

    Important: We highly recommend that you configure the Windows firewall in the server operating system to block all remote procedure calls (RPC) and communications to the Windows Management Instrumentation (WMI) services.

    Securing Remote Desktop connections

    Set up encryption of the remote desktop connections to prevent man-in-the-middle attacks. For instructions, refer to http://technet.microsoft.com/en-us/library/cc782610.aspx.

    Changing Remote Desktop connections port

    Some PCI scanners report a man-in-the-middle attack if you do not change the RDP port to a custom value. To do it, complete the following steps:

    1. Run the regedit utility by clicking Start > Run, typing regedit, and then clicking OK.

    2. Change the port value by modifying the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

    Prohibiting access to MySQL database server from external addresses

    To do this, use the firewall functions built into your Parallels Plesk Panel:

    1. Log in to the Panel as administrator.

    2. Click the Settings link in the navigation pane.

    3. Click Manage Firewall Rules.

    4. Click Switch On.

    Switching off weak SSL ciphers for Web server in Parallels Panel for Microsoft Windows Server 2003 and 2008

    1. Copy the following text to the clipboard:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
    "Enabled"=dword:00000000

    2. Log in to the server over a Remote Desktop connection.

    3. When in the server's operating system, open Notepad or any other text editor, and create a file with the reg extension.

    4. Paste the text from the clipboard into this file.

    5. Save the file.

    6. Double-click the file to open it.


    7. When prompted, confirm addition of new keys to the registry.

    8. Restart the operating system.

    Note: Some applications on the server that use weak SSL ciphers and protocols may stop working.